Well, tacacs or tacacs+ are only used for authentication or authorization
to access routers (for our own maintenance); a FW is used to protect a closed
network. They serve different purposes. There is no real reason to
put FWs in a transit network; who cares what kind of traffic goes through our
network.

A good closed network design should always avoid things like policy
routing (it can not be fast switched, at least that is the case with Cisco
IOS 11.1 something); it complicates routing and slows down traffic
significantly. Since the router is outside of the firewall, if the router is
compromised, the fw can lose control of the traffic which it is supposed to
filter.

_ming
 
On Wed, 23 Dec 1998, William Tarkington stated:

>       I can understand that :) I've worked for a few global carriers myself. Of
> course on a global level I've never tried to deploy a FW based
> architecture.. I always used Tacacs or something similar and let the
> clients deal with the FW.
> 
> The only other way I know to deploy Fw-1 in a large infrastructure is to
> place one at every client connection point (or two as the case may be). I
> know of one such telco doing that with a fairly hefty pricetag. 
> 
> But GateD pretty much solves the problem of FW needing to participate on
> routing level with a network.
> (Granted GateD isn't the most enjoyable routing engine but it works)
> 
> At 10:58 AM 12/23/98 -0500, Ming Lu wrote:
> >You are using policy routing to redirect traffic. We are a global carrier;
> >one thing we hate to do on our backbone is to put policy routing on
> >routers; we always try to avoid it.
> >
> >_ming
> > 
> >On Wed, 23 Dec 1998, William Tarkington stated:
> >
> >>    Policy based routing does indeed have to do with network or host security.
> >> With a Cisco I can route everything based on policy to the firewall. That is
> >> to say if I have two servers on the same local router (2 ethernets) I can
> >> policy route them to the firewall instead of letting it cross the router
> >> uninhibited.
> >> 
> >> At 10:19 AM 12/23/98 -0500, Ming Lu wrote:
> >> >On Wed, 23 Dec 1998, William Tarkington stated:
> >> >
> >> >>         Now I've watched this discussion bounce around on various lists and I just
> >> >> thought I would throw in my two cents worth.
> >> >> 
> >> >>         1) One firewall is a single point of failure so let's assume we have two.
> >> >
> >> >then your routing structure will be complicated and costly.
> >> >
> >> >>         2) Now that we have two we can't do a default route
> >> >
> >> > Not true, one is active and another one stands by.
> >> >
> >> >>         3) Enter GateD
> >> >>         4) OSPF (or some other modern routing protocol)
> >> >
> >> >GateD supports all of the open standard routing protocols; OSPF is one of
> >> >them.
> >> >
> >> >>         5) Problem solved. 
> >> >> Now with translation outbound and inbound everyone can talk to each other.
> >> >> 
> >> >> If you seriously want to get down to business you can of course use Cisco's
> >> >> and do policy based routing.
> >> >
> >> >Policy routing has got nothing to do with network or host security.
> >> >
> >> >> Hurm I hope that answered a question perhaps I am just ranting.
> >> >> 
> >> >> Thanks,
> >> >> Will
> >> >> 
> >> >> 
> >
> William Tarkington
> Daimler Chrysler
> 810-758-9563
> 
> 

============================================================================
Ming Lu                                      Email: [EMAIL PROTECTED]
Sr. Network Engineer                                Phone: 703-689-5290 (w)
IP Engineering                                             703-855-4194 (m)
Global One Telecommunications, LLT.                        703-689-6575 (f)
============================================================================  
"Do not pay attention to every word people say, or you may hear your
 servant cursing you ---- for you know in your heart that many times you
 yourself have cursed others."
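The Cisco policy-routing design Will describes in the thread (two Ethernet segments on one router, forced through the firewall instead of crossing the router directly), written out here as an added example; it is not configuration from anyone in the thread. The addresses, interface names, ACL number and route-map name are all assumed, and the firewall is assumed to sit on a third router interface that carries no policy, so traffic the firewall hands back is forwarded by the ordinary routing table instead of being policy-routed a second time.

```cisco
! Constructed example: two server segments on one router, policy-routed
! through a firewall. Addresses are RFC 5737 documentation ranges chosen
! here, not taken from the thread.
!
! Only traffic BETWEEN the two segments is matched; anything else falls
! through the route-map and follows the normal routing table.
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 101 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
!
route-map TO-FIREWALL permit 10
 match ip address 101
 set ip next-hop 203.0.113.2
! Packets that do not match sequence 10 are routed normally.
!
interface Ethernet0
 description Segment A servers
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map TO-FIREWALL
!
interface Ethernet1
 description Segment B servers
 ip address 198.51.100.1 255.255.255.0
 ip policy route-map TO-FIREWALL
!
! The firewall's inside interface (203.0.113.2) is on Ethernet2. No route-map
! here: when the firewall returns an inspected packet to 203.0.113.1 it is
! forwarded to the destination segment by the routing table, so A->B and the
! B->A reply each pass the firewall exactly once and no forwarding loop forms.
! The firewall itself needs routes to both segments via 203.0.113.1.
interface Ethernet2
 description Firewall inside interface, no policy applied
 ip address 203.0.113.1 255.255.255.0
!
! Checks: confirm which interfaces carry the policy and that the route-map's
! match counter increases for inter-segment flows.
! show ip policy
! show route-map TO-FIREWALL
```

As Ming notes, on the IOS 11.1-era code discussed here policy-routed packets are process switched rather than fast switched, which is the performance cost the thread argues about; releases that support it can enable fast-switched PBR with `ip route-cache policy` on the interfaces carrying the policy.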
